Google puts bounty on security bugs

Find a Google security bug and you could pocket a reward of $3,133.7.

Are you an avid vulnerability hunter who wants to earn an extra buck or two for your skills? If so, Google would like a word with you. The company has announced a new experimental reward program for those who find security bugs in Google's websites, following a similar and successful program from earlier this year. The rewards depend on the severity of the bug(s), but range from $500 to $3,133.7 (wow, clever).

According to Google's blog post on the topic, all of Google's Web properties are up for grabs—that includes YouTube, Blogger, Orkut, and any other website that manages sensitive user data or accounts. It's the user data that's important to Google, and the base reward starts at $500 if you manage to find a vulnerability—in a test account, of course. If you don't want the money, you can donate it to charity with a matching donation from Google.

Google's bounties aren't paid out for finding bugs in desktop apps, though that may change. Automated testing tools are also disqualified ("out of concern for the availability of our services to all users"), and attacks that involve social engineering, denial of service bugs, SEO black hat techniques, and bugs found in tech that was recently acquired by Google aren't covered either.

Additionally, minors can't qualify, nor can people who live in countries that are on sanctions lists, such as North Korea, Cuba, and Syria. "This is not a competition, but rather an experimental and discretionary rewards program," wrote Google's security team.

Google's new reward program echoes a similar one it launched for the Chromium project in January of 2010. According to the security team, the company has continued to see a sustained increase in high-quality reports from researchers even after the program has ended, and hopes to see similar results for the rest of its Web-based offerings.